CoreText exploit analyzed

An analysis has been conducted on the recently uncovered CoreText exploit to determine exactly how it worked. The exploit crashed apps when malicious text messages and emails were opened on iOS devices and Macs. According to The Register, the exploit had to do with negative-length strings.

Apple's CoreText rendering system uses signed integers to pass around array indexes and string lengths. A negative length, -1, is passed unchecked to a library function that uses it as an unsigned long integer to set the bounds of an array. Converted to unsigned, -1 becomes the largest representable value, so the library attempts to read beyond the end of the array and into unallocated memory, triggering a fatal exception.
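To make the signed-to-unsigned mistake concrete, here is an added C example (not CoreText code, and not from the article) that shows what -1 turns into when it is reinterpreted as an unsigned long, and the bounds check a caller should perform before handing a signed (start, length) pair to an unsigned-length routine. The function names and the sample buffer are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: five UTF-16 code units standing in for a text run. */
static const unsigned short kSample[5] = { 'h', 'e', 'l', 'l', 'o' };
#define KSAMPLE_LEN 5

/* The implicit conversion at the heart of the bug: a signed -1 handed to
 * an unsigned long parameter becomes ULONG_MAX (every bit set). */
static unsigned long to_unsigned_length(long signed_len) {
    return (unsigned long)signed_len;
}

/* Defensive check a caller should run before passing the range on.
 * Returns true only when [start, start+length) lies inside buf_len. */
static bool range_is_valid(long start, long length, size_t buf_len) {
    if (start < 0 || length < 0)
        return false;                           /* rejects -1 outright */
    if ((unsigned long)start > buf_len)
        return false;
    /* subtract rather than add so start + length cannot overflow */
    return (unsigned long)length <= buf_len - (unsigned long)start;
}

/* Count non-zero code units in a sub-range; returns -1 instead of
 * reading past the buffer when the range is bad. */
static long count_units_checked(const unsigned short *text, size_t text_len,
                                long start, long length) {
    if (!range_is_valid(start, length, text_len))
        return -1;
    long n = 0;
    for (long i = start; i < start + length; i++)
        n += (text[i] != 0);
    return n;
}

int main(void) {
    printf("-1 as unsigned long: %lu\n", to_unsigned_length(-1));
    printf("range (0, 5)  -> %ld\n", count_units_checked(kSample, KSAMPLE_LEN, 0, 5));
    printf("range (0, -1) -> %ld\n", count_units_checked(kSample, KSAMPLE_LEN, 0, -1));
    return 0;
}
```

The unchecked path is deliberately not exercised: with a length of ULONG_MAX the loop would walk off the end of the buffer, which is exactly the over-read the article describes.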

Apple is rumored to have fixed this exploit in both Mavericks and iOS 7. In the meantime, iOS 6 and Mountain Lion users affected by this issue can use the workaround from our own Nick Arnott.

While it would be nice to see a patch for iOS 6 and OS X 10.8, it's worth noting that the jailbreak solution is a workaround to prevent the crash, not a fix of the original bug. The jailbreak developer is also afforded the luxury of being able to quickly release updates for his workaround as he improves it, with minimal testing, while a fix from Apple would require a lot more work to ensure that they fix it, and fix it properly, on the first shot. I'm not saying they shouldn't have fixed it by now, just that you can't point to the jailbreak workaround and treat it as equivalent to Apple patching a low-level system bug.